@kellerfuchs @phessler @kurtm IPv6 doesn't NAT. It has prefix translation, which is different.

peter hessler - inactive

@mwlucas @kurtm @kellerfuchs the hell it doesn't have NAT.

has supported for 15+ years.


@phessler @kellerfuchs @kurtm @mwlucas Can someone explain to me why one would want NAT on a v6 network in the first place? I really don't know.

@ckeen @mwlucas @kurtm @kellerfuchs mostly because it *really* pisses off the IPv6 Zealots.

Less snarky: because you didn't get a dedicated prefix assigned to your office, and you don't want to renumber every time your ISP moves your assignment.

Static addresses don't exist in the real world, thanks $sales!

@phessler @kellerfuchs @kurtm @mwlucas Indeed here at home I get v6 with changing prefixes because it is not a business contract...

@ckeen @mwlucas @kurtm @kellerfuchs yea. changing your internal dns to chase those addresses is annoying and a waste of time.

so NAT works around your ISPs dumb-fuckery. the IETF answer is "get/become a better ISP", which is clearly bullshit.

sucks? yes. works around the problem? yes.

@phessler @ckeen @mwlucas @kurtm @kellerfuchs @Polishdub The other option would be using static ULA addresses for your internal communication, and variable provider-assigned addresses for external connections.

But yeah, just using NAT is probably easier, and also leaks slightly less information about the internal network.
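The "prefix translation" mentioned at the top of the thread, applied to the layout described in this post (static ULA inside, variable provider-assigned prefix outside), is what RFC 6296 (NPTv6) specifies: a stateless, one-to-one rewrite of the routing prefix that keeps the address's one's complement sum unchanged, so TCP/UDP checksums do not have to be recomputed. The block below is an added example, not code from this thread or from OpenBSD's pf; it implements that translation with Python's `ipaddress` module, using the prefixes from the RFC's own worked example plus a constructed /56 case. Because the mapping is stateless and 1:1, it provides none of the "only outbound-initiated flows get back in" behaviour that stateful IPv4 NAT has as a side effect, which is why a stateful filter still sits in front of it.

```python
"""Stateless IPv6 prefix translation (NPTv6, RFC 6296) between an inside and an
outside prefix, with the checksum-neutral word adjustment. Added example code,
not from the thread or from any project's translator implementation."""
import ipaddress


def _ones_complement_sum(words):
    """One's complement sum of 16-bit words, folding the end-around carry."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(addr):
    """Split a 128-bit address into its eight 16-bit words, high word first."""
    raw = int(addr)
    return [(raw >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def address_checksum(addr):
    """One's complement sum of the address words (the part of a transport
    checksum that depends on the address)."""
    return _ones_complement_sum(_words(ipaddress.IPv6Address(addr)))


def _adjustment(from_net, to_net):
    """Value to add (one's complement) to one word outside the prefix so that
    sum(old prefix) + old word == sum(new prefix) + new word."""
    from_sum = _ones_complement_sum(_words(from_net.network_address))
    to_sum = _ones_complement_sum(_words(to_net.network_address))
    return _ones_complement_sum([from_sum, (~to_sum) & 0xFFFF])


def _adjust_index(words, prefix_len):
    """Choose the word that absorbs the adjustment: the subnet word for /48 and
    shorter prefixes, otherwise the first interface-identifier word that is not
    0xFFFF. 0xFFFF is the second one's complement zero and would collide with
    0x0000 on the return trip, so it is rejected/skipped."""
    if prefix_len <= 48:
        if words[3] == 0xFFFF:
            raise ValueError("subnet word 0xFFFF cannot be translated unambiguously")
        return 3
    for i in range(4, 8):
        if words[i] != 0xFFFF:
            return i
    raise ValueError("no interface-identifier word available for the adjustment")


def translate(addr, from_net, to_net):
    """Rewrite addr from from_net into to_net, keeping the address checksum
    unchanged. The same function serves both directions: swap the networks to
    map an outside address back to its inside form."""
    addr = ipaddress.IPv6Address(addr)
    from_net = ipaddress.IPv6Network(from_net)
    to_net = ipaddress.IPv6Network(to_net)
    if from_net.prefixlen != to_net.prefixlen or from_net.prefixlen > 64:
        raise ValueError("prefixes must be of equal length and no longer than /64")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")

    words = _words(addr)
    i = _adjust_index(words, from_net.prefixlen)

    # Swap the prefix bits and keep every host bit as it was.
    host_mask = (1 << (128 - from_net.prefixlen)) - 1
    swapped = int(to_net.network_address) | (int(addr) & host_mask)
    new_words = _words(ipaddress.IPv6Address(swapped))

    # Fold the adjustment into the chosen word; a result of 0xFFFF is written as 0x0000.
    adjusted = _ones_complement_sum([words[i], _adjustment(from_net, to_net)])
    new_words[i] = 0 if adjusted == 0xFFFF else adjusted

    raw = 0
    for w in new_words:
        raw = (raw << 16) | w
    return ipaddress.IPv6Address(raw)


if __name__ == "__main__":
    # Constructed demo: ULA inside, provider-assigned prefix outside. These
    # prefixes and the resulting d550 subnet word match the worked example in RFC 6296.
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"
    internal = "fd01:203:405:1::1234"
    external = translate(internal, inside, outside)
    print(internal, "->", external)
    print("back ->", translate(external, outside, inside))
    print("checksum neutral:", address_checksum(internal) == address_checksum(external))
```

Renumbering after a provider change then means editing `outside` on the translator rather than every host, DNS record and firewall rule inside; the inside ULA addresses stay put. The prefix-length and 0xFFFF checks are where real translators differ most, so any deployed implementation should be verified against the same round-trip and checksum-equality conditions the demo prints.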

@galaxis @ckeen @mwlucas @kurtm @kellerfuchs see, this kind of bullshit is why IPv6 is such a shitshow. (don't even get me started on the privacy addresses)

IPv4 is crap, but at least it is predictable crap.

@phessler @kellerfuchs @mwlucas @ckeen @galaxis
I'm pretty sure IPv6 was created to be the perfect example of second system effect.

@phessler @kellerfuchs @kurtm @ckeen Ah, I see.

I have no dog in this fight, just trying to keep up with reality...

@phessler @kellerfuchs @mwlucas @ckeen
Don't forget DNS. The IPv6 folks seem to wave their hands saying "taking care of DNS".

So, you either have to allow any random client to update entries on your DNS server, or you must do static addressing with static DNS entries. Which you then have to update every time your ISP moves you around.

I really think most of the IPv6 zealots have never run a sizable network of machines.

@phessler @kellerfuchs @kurtm Is that "official standard," or something that OpenBSD did?

Last I heard, saying "IPv6 NAT" caused screaming fights at IETF.

@mwlucas @kurtm @kellerfuchs it was less code to write in our NAT stack.

afaik, there isn't an rfc talking about how to do ipv4 nat.

and yes, I get death threats from ietf-izens when I mention that we have it.

@phessler @mwlucas @kurtm @kellerfuchs @Polishdub

I heard ipv6 nat is the current recommended solution for multihomed networks

@mwlucas @phessler @Polishdub @kellerfuchs @kurtm Well, NAT certainly has its downsides too, like I'm not sure having additional protocol variants just in order to pass NAT gateways is such a great thing (IPSEC NAT traversal, anyone?)...
But on the other hand, most of the time I really don't want end-to-end connectivity with anyone from the internet to my desktop, even though that would make life much easier for a lot of applications...

@galaxis @mwlucas @phessler @kellerfuchs
IPv6 zealots don't believe in nuance. There is only their pure (incomplete) vision of the perfect internet. We should just obey.

It's when they refuse to admit any advantages to certain things, they lose me. Is NAT ideal? No. Does it provide benefits in certain scenarios? Yes.

@kurtm @kellerfuchs @mwlucas @galaxis

they also (seriously) want to kill all stateful firewalls.

@phessler @galaxis @kellerfuchs @kurtm

I'm great with idealistic solutions. But if you want me to use yours, it must address the real world.

@phessler @galaxis @kellerfuchs @kurtm

This is the funniest toot I've seen in weeks.

@phessler @kurtm @kellerfuchs @Polishdub @mwlucas @galaxis The "/64 for each host" thing may be coming from the Docker-space. In that instance, the host is the subnet's router. Unless they're seriously giving a /64 to each container. Which I don't buy.

@sysadmin1138 @kurtm @kellerfuchs @mwlucas @galaxis

per system / container / jail / etc.

one suggestion is to use the /64 to replace port numbers

@phessler Right. First we standardize on port 443 with http/2 as transport encapsulation for everything, and then we use some kind of reserved addresses to differentiate the endpoints.

Sounds like an excellent idea 🤕

@mwlucas @sysadmin1138 @kellerfuchs @galaxis @phessler

I almost feel like we're living in the Cthulhu mythos. Except for networking.

@mwlucas But think of it! It would be a blend of your fiction and non-fiction writing experiences. Like when you write fiction, but with all the profanity of when you write non-fiction.

@kurtm I'll put it on the list, for right after I write the "Buddhas vs Dinosaurs" series.

@sysadmin1138 Maybe things like RDMA could make use of additional addresses? Or the host uses them to create more / dedicated endpoints for specific services?

Tbh I don't see a real problem with that proposal, even though I don't really like the "just always use a /64 for everything, we'll surely find an appropriate use" meme.

@sysadmin1138 @phessler @kurtm @kellerfuchs @Polishdub @mwlucas @galaxis

If I may jump in...

The /64-per-host thing came way before docker. And it really should be /64-per-vaguely-defined-subnet. Which is probably not a great answer but the general goal seems to be "everyone should have as many IP addresses as they ever need".

Which seems reasonable to me. There's no reason for IP addresses to be scarce, and NAT breaks lots of assumptions.

@icefox @sysadmin1138 @phessler @kurtm @kellerfuchs @Polishdub @mwlucas Well yes, but the jump from "a /64 for every subnet" to "a /64 for every host" involves additional complexity, like a routing protocol, maybe?

For hosts that run things like containers, that's probably not going to be a problem, and it really is preferable to just using heaps of addresses from the directly connected subnet, looking at neighbor table sizes of common network equipment. But for simple end hosts, it's overkill.

@galaxis @sysadmin1138 @phessler @kurtm @kellerfuchs @Polishdub @mwlucas

Oh yeah it's totally overkill. They really could have gotten away with the smallest dividing unit being, like, a /96 or maybe a /112 or something and life would be fine.

I think they just said "well there's no kill like overkill" and ran with it.

@icefox @mwlucas @Polishdub @kurtm @phessler @sysadmin1138 @galaxis
/64 is not the smallest dividing unit, even when using SLAAC, AFAIK.

However, the assumption got baked in many-enough places that using /64-sized things probably saves you a bit of a headache.

@icefox @sysadmin1138 @kurtm @kellerfuchs @mwlucas @galaxis

The assumptions that NAT breaks are the same assumptions that break under stateful firewalling. Plus, embedded IPs in the data.

Any application that breaks under NAT, is badly designed and needs to die in a fire.

@phessler @sysadmin1138 @kurtm @kellerfuchs @Polishdub @mwlucas @galaxis

I confess we are bumping against the limits of my intimate understanding here, so I may be wrong...

...but consider that it's only been in the last 5 years or so with UPnP (which is a security dumpster fire already) that NAT has NOT broken everything that allows other people to connect to a system? Life gets way simpler when you have direct end-to-end public connections. And no less secure when you firewall properly anyway.

@galaxis @mwlucas @phessler @Polishdub @kellerfuchs @kurtm Making life easier for applications is arguably why you *don't* want this. Usability gains notwithstanding, malware is going to have a field day with that.